44 lines
1.2 KiB
Plaintext
44 lines
1.2 KiB
Plaintext
[role="xpack"]
|
|
[testenv="basic"]
|
|
[[eql-limitations]]
|
|
== EQL limitations
|
|
++++
|
|
<titleabbrev>Limitations</titleabbrev>
|
|
++++
|
|
|
|
experimental::[]
|
|
|
|
[discrete]
|
|
[[eql-nested-fields]]
|
|
=== EQL search on nested fields is not supported
|
|
|
|
You cannot use EQL to search the values of a <<nested,`nested`>> field or the
|
|
sub-fields of a `nested` field. However, data streams and indices containing
|
|
`nested` field mappings are otherwise supported.
|
|
|
|
[discrete]
|
|
[[eql-unsupported-syntax]]
|
|
=== Unsupported syntax
|
|
|
|
{es} supports a subset of {eql-ref}/index.html[EQL syntax]. {es} cannot run EQL
|
|
queries that contain:
|
|
|
|
* Array functions:
|
|
** {eql-ref}/functions.html#arrayContains[`arrayContains`]
|
|
** {eql-ref}/functions.html#arrayCount[`arrayCount`]
|
|
** {eql-ref}/functions.html#arraySearch[`arraySearch`]
|
|
|
|
* {eql-ref}/joins.html[Joins]
|
|
|
|
* {eql-ref}/basic-syntax.html#event-relationships[Lineage-related keywords]:
|
|
** `child of`
|
|
** `descendant of`
|
|
** `event of`
|
|
|
|
* The following {eql-ref}/pipes.html[pipes]:
|
|
** {eql-ref}/pipes.html#count[`count`]
|
|
** {eql-ref}/pipes.html#filter[`filter`]
|
|
** {eql-ref}/pipes.html#sort[`sort`]
|
|
** {eql-ref}/pipes.html#unique[`unique`]
|
|
** {eql-ref}/pipes.html#unique-count[`unique_count`]
|